Ongoing attack from >90,000 computers is creating a strain on Web hosts, too.

Security analysts have detected an ongoing attack that uses a huge number of computers from across the Internet to commandeer servers that run the WordPress blogging application.

The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a "botnet" of infected computers that's vastly stronger and more destructive than those available today. That's because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.

"These larger machines can cause much more damage in DDoS [distributed denial-of-service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic," Matthew Prince, CEO of content delivery network CloudFlare, wrote in a blog post describing the attacks.

It's not the first time researchers have raised the specter of a super botnet with potentially dire consequences for the Internet. In October, they revealed that highly debilitating DDoS attacks on six of the biggest US banks used compromised Web servers to flood their targets with above-average amounts of Internet traffic. The botnet came to be known as the itsoknoproblembro or Brobot, names that came from a relatively new attack tool kit some of the infected machines ran. If typical botnets used in DDoS attacks were the network equivalent of tens of thousands of garden hoses trained on a target, the Brobot machines were akin to hundreds of fire hoses. Despite their smaller number, they were nonetheless able to inflict more damage because of their bigger capacity.

There's already evidence that some of the commandeered WordPress websites are being abused in a similar fashion. A blog post published Friday by someone from Web host ResellerClub said the company's systems running that platform are also under an "ongoing and highly distributed global attack."

"To give you a little history, we recently heard from a major law enforcement agency about a massive attack on US financial institutions originating from our servers," the blog post reported. "We did a detailed analysis of the attack pattern and found out that most of the attack was originating from [content management systems] (mostly WordPress). Further analysis revealed that the admin accounts had been compromised (in one form or the other) and malicious scripts were uploaded into the directories."

The blog post continued:

"Today, this attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is making it difficult for us to block all malicious data."

According to CloudFlare's Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username "admin" and 1,000 or so common passwords. He said the attacks are coming from tens of thousands of unique IP addresses, an assessment that squares with the finding of more than 90,000 IP addresses hitting WordPress machines hosted by HostGator.

"At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website," the company's Sean Valant wrote. "These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including 'special' characters (^%$#@*)."

Operators of WordPress sites can take other measures too, including installing plugins such as this one and this one, which close some of the holes most frequently exploited in these types of attacks. Beyond that, operators can sign up for a free plan from CloudFlare that automatically blocks login attempts that bear the signature of the brute-force attack.

Already, HostGator has indicated that the burden of this mass attack is causing huge strains on websites, which come to a crawl or go down altogether. There are also indications that once a WordPress installation is infected it's equipped with a backdoor so that attackers can maintain control even after the compromised administrative credentials have been changed. In some respects, the WordPress attacks resemble the mass compromise of machines running the Apache Web server, which Ars chronicled 10 days ago.

With so much at stake, readers who run WordPress sites are strongly advised to lock down their servers immediately. The effort may not only protect the security of the individual site, it could help safeguard the Internet as a whole.
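As an added illustration (not code from the article or from any of the hosts it quotes), this is the fail2ban-style check a host can run over its own access log to catch the pattern described above: parse Apache combined-log lines, count failed POSTs to wp-login.php per client address inside a sliding window, and ban the address at its tenth failure. The log lines are constructed sample data, and the rule for telling a failed login (200, form shown again) from a successful one (302 into wp-admin) is an assumption stated in the code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def is_failed_login(method, path, status):
    # Assumption: WordPress answers a failed wp-login.php POST with 200 (the form
    # again) and a successful one with a 302 redirect into wp-admin.
    return method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200

def find_brute_forcers(log_text, maxretry=10, window=timedelta(minutes=10)):
    """fail2ban-style sliding window; returns {ip: timestamp of the failure that triggered the ban}."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failed logins
    banned = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if ip in banned or not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

def _line(ip, sec, method, path, status):
    """Format one constructed combined-log line (sample data, not a real log)."""
    return (f'{ip} - - [12/Apr/2013:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')

SAMPLE_LOG = "\n".join(
    # one address hammering the login form: 12 failures in 12 seconds
    [_line("203.0.113.5", s, "POST", "/wp-login.php", 200) for s in range(12)]
    # a real user who mistypes once, then logs in (302 into wp-admin)
    + [_line("198.51.100.7", 20, "POST", "/wp-login.php", 200),
       _line("198.51.100.7", 25, "POST", "/wp-login.php", 302),
       _line("198.51.100.7", 26, "GET", "/wp-admin/", 200)]
    # a crawler that only GETs the login page: noisy, but never a login attempt
    + [_line("192.0.2.9", s, "GET", "/wp-login.php", 200) for s in range(30, 45)]
)
```

Calling `find_brute_forcers(SAMPLE_LOG)` returns only 203.0.113.5, banned at its tenth failure; the crawler's GETs and the real user's single mistake never count, and shrinking `window` to a few seconds lets even the burst through, which is the trade-off a host tunes.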

104 Reader Comments

It seems like this would be a short lived botnet. The people who administer the servers are not completely incompetent (except for using a trivial password). A patch will be forthcoming and the botnet will die. Am I missing something?

It seems like this would be a short lived botnet. The people who administer the servers are not completely incompetent (except for using a trivial password). A patch will be forthcoming and the botnet will die. Am I missing something?

I don't know that there's anything to patch. If they get admin access they can create other user accounts, and as the article said, they can/are creating backdoors to give them persistent access.

The owners/administrators of most compromised devices have no idea that their device is compromised until some third party contacts them.

Most of the initial attacks appear to have come from Ukraine, then from a distributed botnet set of random infected users. We only have a few thousand users, so fewer logs to trawl through to see what's happening.

We mitigated it quite easily by using fail2ban to block wp-login attempts. We also use live monitoring via maldet (excellent product), to spot php dropper backdoor attempts (it emails us if something gets through), and take quick action to isolate, and find the issue in a given user account.

So far most of the initial issues were with timthumb vulnerabilities - this was heavy in late Oct/Nov, then a lull, then again in Feb/Mar, now it's moved to password hack attempts. We eventually made a script to update all timthumb versions on our servers to the latest version, ran that manually, now have a report script running daily to find outdated versions and update automagically. Surprisingly that worked quite well, zero complaints!

Password hack attempts are fairly easy to sort though - just add a captcha. The increased load on a server when hundreds of concurrent attempts are made from different IPs though has caused intermittent load issues for us on otherwise healthy servers until we went with blocking IPs on failure via fail2ban.

It seems like this would be a short lived botnet. The people who administer the servers are not completely incompetent (except for using a trivial password). A patch will be forthcoming and the botnet will die. Am I missing something?

Yes, backdoor(s) are installed as part of the attack which means you need to guarantee you have cleaned the machine(s) successfully. What if this involves a BIOSKit? It would execute on fewer machines but would be immune to hard drive low level reformat, replacement, etc. Or as is becoming common a suite of malware. You may be right, but it is not guaranteed.

Password hack attempts are fairly easy to sort though - just add a captcha. The increased load on a server when hundreds of concurrent attempts are made from different IPs though has caused intermittent load issues for us on otherwise healthy servers until we went with blocking IPs on failure via fail2ban.

The mod_security solution looks pretty nice. But if you've never touched mod_security, well, you're probably happier than someone who has.

You can't just grab default rules and go, especially with WP - you'll end up with a non-functional site.

I'm actually looking at something a bit simpler now, which is a module called "mod_evasive". Its rules can be tweaked to block access (in apache, not WP) when a single IP has called for the same URL more than X number of times. This is much simpler than mod_security, but may be helpful if you need to get something up *now*.

So what's the scoop here? Seems like there isn't really anything a person can do at this point? I'm going to log in and make a 30 character password, but if it's already hacked then maybe there is no point.

I run the site http://www.outlawvern.com for an acquaintance (since I've never met him and he remains one of the few commercially published anonymous authors these days I don't know how else to refer to him lol) on DreamHost with a 1GB VPS and CloudFlare Pro. I always thought the site's requirements would be minimal given a small community of commenters relative to overall page views but ever since moving to DreamHost I get rebooted everyday for exceeding resources. I'm always fully updated and run just a handful of plugins but performance is generally woeful. Could this or the Apache attack be the cause?

I wish there were some kind of easy consulting service for a small enterprise like this. As a Windows guy I created an online education site under IIS that served tens of thousands of simultaneous connections most of which were contributing more database writes than reads yet I never had performance problems on similar hardware. As a Linux newbie I have no idea where to start, what kind of hardware I'd need to support the traffic and load I have years of data to reference. That second plugin mentioned seems overkill and all this talk of mod_security and other system-level tools leaves me wanting.

This stuff is more than a little scary. I didn't even realize WordPress didn't limit login attempts with at least an extended timeout. I have a long random admin password and keep up with the patches, thought paying for CloudFlare would help keep me as hands-off as possible given my experience or lack thereof. Don't even know what to do at this point, just want decent performance and to live as an ostrich lol.

You joke, but I wonder has the internet always been this hostile? Sooner or later, something is going to have to change, just for the sake of being able to use the internet...at all.

Well, if you look at the progression of openness to where we are now, the Internet started out with public ftp servers, open mail relays, finger, guest telnet accounts, etc. Each of those has gone the way of cars with the doors left unlocked.

The attacks will get worse, but security will get more sophisticated. However, in the long run the Internet and everything attached to it will get as convoluted as the US tax code, with no chance of cleaning out the accumulated cruft. It will become an ongoing problem for future generations, just like everything else.

If the Internet melted down tomorrow I'd miss the porn and LOLcats, but something else will fill its place. Meanwhile, those beer mugs aren't getting any colder...

My host went ahead and basically blocked all login attempts to Wordpress, legit or otherwise. They provided some instructions to whitelist yourself in the meantime, which works for me. Some users are complaining a little, but I'd rather the host be safe than sorry. Even if you implement some plugins on your own site (I did), it still takes resources to run those as they get hammered and that slows everything else down. Best to just shut off the spigot IMO.

This is one of the few cases where security through obscurity can be useful. Changing the admin account's login name to something else will stop many blind attacks. You could also keep the "admin" account, but give it subscriber privileges to waste the attackers' time (but also your bandwidth).

jb510, seeing as you have been paying attention to your logs perhaps you can garner some additional information for us?

I'm curious does every IP that attempts a set of passwords seem to be trying its own distinct set of passwords? Are multiple IPs seen to be using the same passwords in their failed attempts? (I realize this may require additional monitoring tools than just the standard logs.)

Mostly I'm interested to know how much control the distribution of the attacks has. Will a host that is detected and blocked have its word list picked up by another host in the network and so forth?

With 90,000 IPs, if even a third of them were real systems, theoretically the whole 1000 or so passwords being attempted could be tried without ever using the same IP twice.

Edit:

Sidenote, my webhost of choice sent me an e-mail about this attack a few hours before I logged on to see it here at Ars. I'd say that's a surprising amount of effort from a company called "NoSupport Linux Hosting", whose credo is that they don't offer support for their customers' sites, and they don't charge for it either.

Again, fail2ban works well for us, as while there may be multiple IPs attacking, we are seeing them try multiple sites on the same server, so they readily trigger our blocking mechanisms.

I may add another rule in fail2ban to block that string user agent + wp-login if it doesn't weed out enough of the botnet agents. So far no problem though for us other than an initial issue with load on some servers due to the amount of concurrent attempts.

I recommend a multi-faceted approach -

Fail2ban or similar route dropping mechanism for anything dodgy looking in logs (eg multiple accesses to wp-login within a given time frame).

Captcha on the wp-admin side to block automated attempts (BWS captcha or image captchas are ok). This currently blocks their scripting attempts.

Maldet set to scan new files using inotify - then email on discovery of dropper scripts, and quarantine stuff.

I don't know much about botnets or the efforts to combat them. But I often wonder, with all of the botnets out there performing DDoS attacks on sites, why there isn't a more concerted effort by the security community to examine the traffic, determine which ISPs the botnet computers are attached to, and inform both the ISPs and the owners of the zombie computers about the botnet. Surely the owners of the compromised PCs would want to KNOW they are compromised, and would cooperate with efforts to remove the botnet malware from their systems? Or, at the very least, the ISPs could cut them off?

Or is this kind of thing done all the time, and we just don't see it in the news?

The best I've had is when I've used actual log examples in blog posts about malware attacks, and the owners of the IP space asked us to remove the posts as clients were searching for them, and our posts came up first. So, name and shame is the best method. Most of the time though, ISPs couldn't really care too much about clients' computers as long as they get paid. For servers it's a different matter though, as it impacts things more - being on spam lists due to malware makes sure that people fix issues.

1) you can't fully .htaccess protect wp-admin as some of the better known plugins like woocommerce require user access to the wp-admin directory, f$^%!

2) why not ask the user for a DIFFERENT administrator name when creating/installing the blog (joomla can do this)?

3) hardcoded URLs in some plugins when accessing files, what is the point of having options that allow dynamic creation of URLs? If apache had hardcoded installation dirs we would be in damn trouble.

Humans are opportunistic - you make it easy they use the easy way ... So if the developers make it easy or built in flaws what can you expect from the user?

This is one of the few cases where security through obscurity can be useful. Changing the admin account's login name to something else will stop many blind attacks. You could also keep the "admin" account, but give it subscriber privileges to waste the attackers' time (but also your bandwidth).

I don't know if I'd call that security through obscurity. It just changes the attack from a potential password compromise to a straight out DDoS attack. You effectively have the same effect if your admin users are using secure passwords or 2-factor authentication.

In fact, the only thing that's really remarkable about this is that because WordPress is both so common and so inflexible in its configuration, it becomes an easy target. Add on to that the fact that most WordPress sites are on shared hosting providers, and the attack in aggregate becomes a DDoS attack against the hosting providers.

That said, some obscurity would go a long way towards reducing the economics of this kind of straight brute force attack--and mitigating the current one. If the attackers can't count on the login page being at /wp-admin/login.php, it makes it much less attractive to bother with this approach instead of something else.

Seems to me just from your numbers that banning IPs after 10 failed logins or something for an hour or so, still reduces the number of passwords the botnet can try from 2 billion down to 900k without any negative side effects.

calladeveloper wrote: It is also good to see the creator of Wordpress confirm what I have been trying to tell everyone all day:

"Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great" - http://thenextweb.com/insider/2013/04/1 ... in-1-hour/

Seems to me just from your numbers that banning IPs after 10 failed logins or something for an hour or so, still reduces the number of passwords the botnet can try from 2 billion down to 900k without any negative side effects.

Gets even better - if you have multiple servers, you use the same rules for all servers, and synchronise blocks amongst servers. (rsync ftw!)

Many host owners should be deprived of all of their equipment. Apparently their skills, sense of responsibility and indifference about possible problems and threats make them unqualified for administration tasks. It's like driving a car without a driving license. Almost all of these security threats stem from wanton indifference and recklessness about proper management.

It is also good to see the creator of Wordpress confirm what I have been trying to tell everyone all day:

"Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great"

Actually that depends on the plugin. Sucuri's Tony Perez has been recommending Login Security Solution to me for a while (I didn't actually look at it until today). It throttles logins based on more than just IP, so in this case much better than Limit Login Attempts (a similar but different WP plugin).

Nice article...at least until the Cloudflare advertising part showed up....now it can only be labeled as hoax. Cool to see they still have free capacities right after the "biggest DDoS ever that slowed down the whole internet" though...lol.